Adds support for custom OIDC prompts #3409

Merged
merged 1 commit into from
Mar 7, 2020

klizhentas
Contributor

This commit adds support for custom OIDC prompt values.

Read about possible prompt values here:

https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

Three cases are possible:

* Prompt value is not set: the OIDC prompt value defaults to
select_account to preserve backwards compatibility.

```yaml
kind: oidc
version: v2
metadata:
  name: connector
spec:
  # prompt is not set, so select_account is sent
```

* Prompt value is set to an empty string: it will be omitted
from the auth request.

```yaml
kind: oidc
version: v2
metadata:
  name: connector
spec:
  prompt: ''
```

* Prompt value is set to a non-empty string: it will be included
in the auth request as is.

```yaml
kind: oidc
version: v2
metadata:
  name: connector
spec:
  prompt: 'login consent'
```

Tested with Auth0 OIDC connector on Teleport 4.2 Enterprise.
@benarent benarent linked an issue Mar 5, 2020 that may be closed by this pull request
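
The three cases from the description above, as an added Go sketch that is not the code merged in this PR. It assumes a nil pointer models "prompt is not set"; `resolvePrompt`, `lintPrompt`, `authQuery` and the sample client values are hypothetical names. `lintPrompt` goes beyond the PR (which passes non-empty values through as is) and checks a value against the `prompt` values defined in OIDC Core, where `login` forces re-authentication and `none` may not be combined with anything else.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Values defined for "prompt" in OIDC Core 1.0, section 3.1.2.1.
var specPrompts = map[string]bool{"none": true, "login": true, "consent": true, "select_account": true}

// resolvePrompt maps the connector setting to the auth request parameter.
// A nil pointer models "prompt is not set" (assumed representation).
func resolvePrompt(prompt *string) (value string, include bool) {
	switch {
	case prompt == nil: // case 1: default kept for backwards compatibility
		return "select_account", true
	case *prompt == "": // case 2: parameter omitted from the request
		return "", false
	default: // case 3: passed through as is
		return *prompt, true
	}
}

// lintPrompt is an extra pre-deployment check, not behaviour described in the PR.
func lintPrompt(value string) error {
	fields := strings.Fields(value)
	for _, f := range fields {
		if !specPrompts[f] {
			return fmt.Errorf("prompt value %q is not defined by OIDC Core", f)
		}
		if f == "none" && len(fields) > 1 {
			return fmt.Errorf(`prompt "none" must not be combined with other values`)
		}
	}
	return nil
}

// authQuery builds the query string of the authentication request.
func authQuery(clientID, redirectURI, state string, prompt *string) string {
	q := url.Values{"response_type": {"code"}, "scope": {"openid"},
		"client_id": {clientID}, "redirect_uri": {redirectURI}, "state": {state}}
	if v, ok := resolvePrompt(prompt); ok {
		q.Set("prompt", v)
	}
	return q.Encode()
}

func main() { fmt.Println(authQuery("teleport", "https://proxy.example.com/callback", "state123", nil)) }
```
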
Contributor

@benarent benarent left a comment

👍 Looks good. Yesterday I was considering naming this `redirect_prompt` when chatting with @stevenGravy, but after re-reading the OIDC docs, `prompt` is a better name, as it's not directly related to the specifics of the redirect.

@benarent benarent added R1 sso Used for single sign on related tasks. labels Mar 5, 2020
@klizhentas
Contributor Author

@russjones let me know when it's ok to merge, as I'm holding this until you folks release 4.2.4

@klizhentas klizhentas merged commit 47cc583 into branch/4.2 Mar 7, 2020
@klizhentas klizhentas deleted the sasha/prompt branch March 7, 2020 01:50
klizhentas added a commit that referenced this pull request Mar 8, 2020
russjones pushed a commit that referenced this pull request Mar 21, 2020
Successfully merging this pull request may close these issues.

Select prompt type with OIDC